1 | /* |
2 | * Bluetooth support for Realtek devices | |
3 | * | |
4 | * Copyright (C) 2015 Endless Mobile, Inc. | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or modify | |
7 | * it under the terms of the GNU General Public License as published by | |
8 | * the Free Software Foundation; either version 2 of the License, or | |
9 | * (at your option) any later version. | |
10 | * | |
11 | * This program is distributed in the hope that it will be useful, | |
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
14 | * GNU General Public License for more details. | |
15 | * | |
16 | */ | |
17 | ||
18 | #include <linux/module.h> | |
19 | #include <linux/firmware.h> | |
20 | #include <asm/unaligned.h> | |
21 | #include <linux/usb.h> | |
22 | ||
23 | #include <net/bluetooth/bluetooth.h> | |
24 | #include <net/bluetooth/hci_core.h> | |
25 | ||
26 | #include "btrtl.h" | |
27 | ||
/* Driver version string; used by MODULE_DESCRIPTION and MODULE_VERSION. */
#define VERSION "0.1"

/* First 8 bytes of an "epatch" firmware image. The RTL8723B-style parser
 * requires them; the RTL8723A path rejects an image that starts with them.
 */
#define RTL_EPATCH_SIGNATURE "Realtech"
/* LMP subversion values that btrtl_setup_realtek() matches against the
 * controller's Read Local Version reply to choose a firmware file.
 */
#define RTL_ROM_LMP_3499 0x3499
#define RTL_ROM_LMP_8723A 0x1200
#define RTL_ROM_LMP_8723B 0x8723
#define RTL_ROM_LMP_8821A 0x8821
#define RTL_ROM_LMP_8761A 0x8761
36 | ||
/* Query the controller's ROM version with vendor command 0xfc6d.
 *
 * On success the version byte of the reply is stored in *version and 0 is
 * returned. Returns the error from __hci_cmd_sync() if the command fails,
 * or -EIO if the reply is not exactly sizeof(struct rtl_rom_version_evt)
 * bytes long. The status byte of the reply is logged but not acted upon.
 */
static int rtl_read_rom_version(struct hci_dev *hdev, u8 *version)
{
	struct rtl_rom_version_evt *evt;
	struct sk_buff *skb;
	int err = 0;

	/* Read RTL ROM version command */
	skb = __hci_cmd_sync(hdev, 0xfc6d, 0, NULL, HCI_INIT_TIMEOUT);
	if (IS_ERR(skb)) {
		BT_ERR("%s: Read ROM version failed (%ld)",
		       hdev->name, PTR_ERR(skb));
		return PTR_ERR(skb);
	}

	/* The payload is read through the struct only when the device sent
	 * exactly that many bytes.
	 */
	if (skb->len != sizeof(*evt)) {
		BT_ERR("%s: RTL version event length mismatch", hdev->name);
		err = -EIO;
		goto free_skb;
	}

	evt = (struct rtl_rom_version_evt *)skb->data;
	BT_INFO("%s: rom_version status=%x version=%x",
		hdev->name, evt->status, evt->version);

	*version = evt->version;

free_skb:
	kfree_skb(skb);
	return err;
}
65 | ||
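/* Validate an "epatch" firmware image and extract the patch for this chip.
 *
 * @hdev:       controller being set up; queried for its ROM version
 * @lmp_subver: LMP subversion the controller reported
 * @fw:         firmware image obtained by the caller
 * @_buf:       on success, set to a kmemdup()'ed copy of the selected patch
 *              with its last 4 bytes replaced by the header's fw_version;
 *              the caller owns the buffer and must kfree() it
 *
 * Returns the patch length in bytes on success, or a negative errno: the
 * error from rtl_read_rom_version(), -ENOMEM if the copy cannot be
 * allocated, or -EINVAL for an image that fails any check below.
 *
 * Every offset and length used here is read out of the image itself, so
 * each one is checked against fw->size before it is used to index fw->data
 * or the copied buffer.
 */
static int rtl8723b_parse_firmware(struct hci_dev *hdev, u16 lmp_subver,
				   const struct firmware *fw,
				   unsigned char **_buf)
{
	const u8 extension_sig[] = { 0x51, 0x04, 0xfd, 0x77 };
	struct rtl_epatch_header *epatch_info;
	unsigned char *buf;
	int i, ret, len;
	size_t min_size;
	u8 opcode, length, data, rom_version = 0;
	int project_id = -1;
	const unsigned char *fwptr, *chip_id_base;
	const unsigned char *patch_length_base, *patch_offset_base;
	u32 patch_offset = 0;
	u16 patch_length = 0, num_patches;
	const u16 project_id_to_lmp_subver[] = {
		RTL_ROM_LMP_8723A,
		RTL_ROM_LMP_8723B,
		RTL_ROM_LMP_8821A,
		RTL_ROM_LMP_8761A
	};

	ret = rtl_read_rom_version(hdev, &rom_version);
	if (ret)
		return ret;

	/* Smallest image worth parsing: header, one 3-byte instruction and
	 * the trailing extension signature.
	 */
	min_size = sizeof(struct rtl_epatch_header) + sizeof(extension_sig) + 3;
	if (fw->size < min_size)
		return -EINVAL;

	fwptr = fw->data + fw->size - sizeof(extension_sig);
	if (memcmp(fwptr, extension_sig, sizeof(extension_sig)) != 0) {
		BT_ERR("%s: extension section signature mismatch", hdev->name);
		return -EINVAL;
	}

	/* Loop from the end of the firmware parsing instructions, until
	 * we find an instruction that identifies the "project ID" for the
	 * hardware supported by this firmware file.
	 * Once we have that, we double-check that that project_id is suitable
	 * for the hardware we are working with.
	 */
	while (fwptr >= fw->data + (sizeof(struct rtl_epatch_header) + 3)) {
		opcode = *--fwptr;
		length = *--fwptr;
		data = *--fwptr;

		BT_DBG("check op=%x len=%x data=%x", opcode, length, data);

		if (opcode == 0xff) /* EOF */
			break;

		if (length == 0) {
			BT_ERR("%s: found instruction with length 0",
			       hdev->name);
			return -EINVAL;
		}

		if (opcode == 0 && length == 1) {
			project_id = data;
			break;
		}

		/* Never step fwptr to before the start of the image; the
		 * missing project ID is reported just below.
		 */
		if (length > fwptr - fw->data)
			break;

		fwptr -= length;
	}

	if (project_id < 0) {
		BT_ERR("%s: failed to find version instruction", hdev->name);
		return -EINVAL;
	}

	if (project_id >= ARRAY_SIZE(project_id_to_lmp_subver)) {
		BT_ERR("%s: unknown project id %d", hdev->name, project_id);
		return -EINVAL;
	}

	if (lmp_subver != project_id_to_lmp_subver[project_id]) {
		BT_ERR("%s: firmware is for %x but this is a %x", hdev->name,
		       project_id_to_lmp_subver[project_id], lmp_subver);
		return -EINVAL;
	}

	epatch_info = (struct rtl_epatch_header *)fw->data;
	if (memcmp(epatch_info->signature, RTL_EPATCH_SIGNATURE, 8) != 0) {
		BT_ERR("%s: bad EPATCH signature", hdev->name);
		return -EINVAL;
	}

	num_patches = le16_to_cpu(epatch_info->num_patches);
	BT_DBG("fw_version=%x, num_patches=%d",
	       le32_to_cpu(epatch_info->fw_version), num_patches);

	/* After the rtl_epatch_header there is a funky patch metadata section.
	 * Assuming 2 patches, the layout is:
	 * ChipID1 ChipID2 PatchLength1 PatchLength2 PatchOffset1 PatchOffset2
	 *
	 * Find the right patch for this chip.
	 */
	/* 8 bytes per patch: u16 chip id + u16 length + u32 offset. */
	min_size += 8 * num_patches;
	if (fw->size < min_size)
		return -EINVAL;

	chip_id_base = fw->data + sizeof(struct rtl_epatch_header);
	patch_length_base = chip_id_base + (sizeof(u16) * num_patches);
	patch_offset_base = patch_length_base + (sizeof(u16) * num_patches);
	for (i = 0; i < num_patches; i++) {
		u16 chip_id = get_unaligned_le16(chip_id_base +
						 (i * sizeof(u16)));
		if (chip_id == rom_version + 1) {
			patch_length = get_unaligned_le16(patch_length_base +
							  (i * sizeof(u16)));
			patch_offset = get_unaligned_le32(patch_offset_base +
							  (i * sizeof(u32)));
			break;
		}
	}

	if (!patch_offset) {
		BT_ERR("%s: didn't find patch for chip id %d",
		       hdev->name, rom_version);
		return -EINVAL;
	}

	BT_DBG("length=%x offset=%x index %d", patch_length, patch_offset, i);

	/* Compare without adding offset and length: their 32-bit sum can wrap
	 * and slip past a "size < offset + length" test, after which the copy
	 * below would read outside the image.
	 */
	if (patch_offset > fw->size ||
	    patch_length > fw->size - patch_offset) {
		BT_ERR("%s: patch offset/length out of range", hdev->name);
		return -EINVAL;
	}

	/* The last 4 bytes of the patch are overwritten with fw_version, so
	 * a shorter patch would place that write before the start of buf.
	 */
	if (patch_length < 4) {
		BT_ERR("%s: patch too short", hdev->name);
		return -EINVAL;
	}

	/* Copy the firmware into a new buffer and write the version at
	 * the end.
	 */
	len = patch_length;
	buf = kmemdup(fw->data + patch_offset, patch_length, GFP_KERNEL);
	if (!buf)
		return -ENOMEM;

	memcpy(buf + patch_length - 4, &epatch_info->fw_version, 4);

	*_buf = buf;
	return len;
}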
207 | ||
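/* Send a firmware image to the controller in RTL_FRAG_LEN-sized fragments.
 *
 * @hdev:   controller to program
 * @data:   firmware bytes to send
 * @fw_len: number of bytes at @data
 *
 * Each fragment goes out with vendor command 0xfc20. The final fragment has
 * bit 0x80 set in its index and carries the fw_len % RTL_FRAG_LEN remainder,
 * which is zero bytes when fw_len is an exact multiple of RTL_FRAG_LEN.
 *
 * Returns 0 on success or a negative errno: -ENOMEM, the error from
 * __hci_cmd_sync(), or -EIO when a reply has an unexpected length.
 */
static int rtl_download_firmware(struct hci_dev *hdev,
				 const unsigned char *data, int fw_len)
{
	struct rtl_download_cmd *dl_cmd;
	int frag_num = fw_len / RTL_FRAG_LEN + 1;
	int frag_len = RTL_FRAG_LEN;
	int ret = 0;
	int i;

	dl_cmd = kmalloc(sizeof(*dl_cmd), GFP_KERNEL);
	if (!dl_cmd)
		return -ENOMEM;

	for (i = 0; i < frag_num; i++) {
		struct sk_buff *skb;

		BT_DBG("download fw (%d/%d)", i, frag_num);

		/* NOTE(review): the fragment counter shares this field with
		 * the 0x80 "data end" flag, so an image of 0x80 or more
		 * fragments would set that bit before the last fragment.
		 * Confirm the sizes callers can pass.
		 */
		dl_cmd->index = i;
		if (i == (frag_num - 1)) {
			dl_cmd->index |= 0x80; /* data end */
			frag_len = fw_len % RTL_FRAG_LEN;
		}
		/* assumes dl_cmd->data holds at least RTL_FRAG_LEN bytes
		 * (declared in btrtl.h) - TODO confirm
		 */
		memcpy(dl_cmd->data, data, frag_len);

		/* Send download command */
		skb = __hci_cmd_sync(hdev, 0xfc20, frag_len + 1, dl_cmd,
				     HCI_INIT_TIMEOUT);
		if (IS_ERR(skb)) {
			BT_ERR("%s: download fw command failed (%ld)",
			       hdev->name, PTR_ERR(skb));
			/* PTR_ERR() is already a negative errno. Negating it
			 * would hand callers a positive value that their
			 * "ret < 0" checks do not treat as a failure.
			 */
			ret = PTR_ERR(skb);
			goto out;
		}

		if (skb->len != sizeof(struct rtl_download_response)) {
			BT_ERR("%s: download fw event length mismatch",
			       hdev->name);
			kfree_skb(skb);
			ret = -EIO;
			goto out;
		}

		kfree_skb(skb);
		data += RTL_FRAG_LEN;
	}

out:
	kfree(dl_cmd);
	return ret;
}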
259 | ||
/* Load rtl_bt/rtl8723a_fw.bin and download it to the controller unmodified.
 *
 * The only checks made on the image are that it is at least 8 bytes long
 * and that it does not start with the epatch signature; everything else is
 * passed to the device as-is.
 *
 * Returns the result of rtl_download_firmware(), the error from
 * request_firmware(), or -EINVAL if the image fails either check.
 */
static int btrtl_setup_rtl8723a(struct hci_dev *hdev)
{
	const struct firmware *image;
	int rc;

	BT_INFO("%s: rtl: loading rtl_bt/rtl8723a_fw.bin", hdev->name);
	rc = request_firmware(&image, "rtl_bt/rtl8723a_fw.bin", &hdev->dev);
	if (rc < 0) {
		BT_ERR("%s: Failed to load rtl_bt/rtl8723a_fw.bin", hdev->name);
		return rc;
	}

	/* Both validation failures below report the same error code. */
	rc = -EINVAL;

	/* Too short to hold the 8 bytes compared next. */
	if (image->size < 8)
		goto release;

	/* Check that the firmware doesn't have the epatch signature
	 * (which is only for RTL8723B and newer).
	 */
	if (memcmp(image->data, RTL_EPATCH_SIGNATURE, 8) == 0) {
		BT_ERR("%s: unexpected EPATCH signature!", hdev->name);
		goto release;
	}

	/* NOTE(review): image->size is converted to the int fw_len
	 * parameter here - confirm image sizes stay within int range.
	 */
	rc = rtl_download_firmware(hdev, image->data, image->size);

release:
	release_firmware(image);
	return rc;
}
292 | ||
/* Load the named epatch firmware file, extract the patch matching this
 * controller and download it.
 *
 * @hdev:       controller being set up
 * @lmp_subver: LMP subversion the controller reported; the parser checks
 *              the image against it
 * @fw_name:    firmware file name handed to request_firmware()
 *
 * Returns the result of rtl_download_firmware(), or the negative error from
 * request_firmware() or rtl8723b_parse_firmware().
 */
static int btrtl_setup_rtl8723b(struct hci_dev *hdev, u16 lmp_subver,
				const char *fw_name)
{
	unsigned char *patch = NULL;
	const struct firmware *image;
	int rc;

	BT_INFO("%s: rtl: loading %s", hdev->name, fw_name);
	rc = request_firmware(&image, fw_name, &hdev->dev);
	if (rc < 0) {
		BT_ERR("%s: Failed to load %s", hdev->name, fw_name);
		return rc;
	}

	/* A non-negative result is the length of the patch now in 'patch'. */
	rc = rtl8723b_parse_firmware(hdev, lmp_subver, image, &patch);
	if (rc >= 0) {
		rc = rtl_download_firmware(hdev, patch, rc);
		/* The parser allocated the copy; it is released here. */
		kfree(patch);
	}

	release_firmware(image);
	return rc;
}
320 | ||
/* Issue HCI_OP_READ_LOCAL_VERSION and return the reply.
 *
 * On success the returned skb holds exactly
 * sizeof(struct hci_rp_read_local_version) bytes and the caller must free
 * it with kfree_skb(). On failure an ERR_PTR() is returned: the error from
 * __hci_cmd_sync(), or -EIO when the reply has any other length.
 */
static struct sk_buff *btrtl_read_local_version(struct hci_dev *hdev)
{
	struct sk_buff *reply;

	reply = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
			       HCI_INIT_TIMEOUT);
	if (IS_ERR(reply)) {
		BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)",
		       hdev->name, PTR_ERR(reply));
		return reply;
	}

	/* Callers cast the payload to the reply struct, so only an
	 * exact-size reply is handed back.
	 */
	if (reply->len == sizeof(struct hci_rp_read_local_version))
		return reply;

	BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch",
	       hdev->name);
	kfree_skb(reply);
	return ERR_PTR(-EIO);
}
342 | ||
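/* Identify a Realtek controller by its LMP subversion and upload the
 * matching firmware when one is needed.
 *
 * Returns 0 when no upload is needed, otherwise the result of the
 * chip-specific setup routine. Returns a negative errno if the local
 * version cannot be read.
 */
int btrtl_setup_realtek(struct hci_dev *hdev)
{
	struct sk_buff *skb;
	struct hci_rp_read_local_version *resp;
	u16 lmp_subver;

	skb = btrtl_read_local_version(hdev);
	if (IS_ERR(skb))
		/* PTR_ERR() is already negative; negating it would report
		 * the failure to the caller as a positive value.
		 */
		return PTR_ERR(skb);

	resp = (struct hci_rp_read_local_version *)skb->data;
	lmp_subver = le16_to_cpu(resp->lmp_subver);

	/* Convert the little-endian 16-bit fields before logging so the
	 * values printed match the ones compared below on any host.
	 */
	BT_INFO("%s: rtl: examining hci_ver=%02x hci_rev=%04x lmp_ver=%02x "
		"lmp_subver=%04x", hdev->name, resp->hci_ver,
		le16_to_cpu(resp->hci_rev), resp->lmp_ver, lmp_subver);

	kfree_skb(skb);

	/* Match a set of subver values that correspond to stock firmware,
	 * which is not compatible with standard btusb.
	 * If matched, upload an alternative firmware that does conform to
	 * standard btusb. Once that firmware is uploaded, the subver changes
	 * to a different value.
	 */
	switch (lmp_subver) {
	case RTL_ROM_LMP_8723A:
	case RTL_ROM_LMP_3499:
		return btrtl_setup_rtl8723a(hdev);
	case RTL_ROM_LMP_8723B:
		return btrtl_setup_rtl8723b(hdev, lmp_subver,
					    "rtl_bt/rtl8723b_fw.bin");
	case RTL_ROM_LMP_8821A:
		return btrtl_setup_rtl8723b(hdev, lmp_subver,
					    "rtl_bt/rtl8821a_fw.bin");
	case RTL_ROM_LMP_8761A:
		return btrtl_setup_rtl8723b(hdev, lmp_subver,
					    "rtl_bt/rtl8761a_fw.bin");
	default:
		BT_INFO("rtl: assuming no firmware upload needed.");
		return 0;
	}
}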
/* btrtl_setup_realtek() is the only non-static function in this listing. */
EXPORT_SYMBOL_GPL(btrtl_setup_realtek);

/* Module metadata; VERSION is the driver version string defined above. */
MODULE_AUTHOR("Daniel Drake <drake@endlessm.com>");
MODULE_DESCRIPTION("Bluetooth support for Realtek devices ver " VERSION);
MODULE_VERSION(VERSION);
MODULE_LICENSE("GPL");